What GAO Found

The Transportation Security Administration (TSA) has inconsistently overseen and enforced its rail security incident reporting requirement because it does not have guidance and its oversight mechanisms are limited, leading to considerable variation in the types and number of incidents reported. Though some variation is expected in the number and type of incidents reported because of differences in rail agency size, location, and ridership, local TSA inspection officials have provided rail agencies with inconsistent interpretations of the reporting requirement. For example, local TSA officials instructed one rail agency to report all incidents related to individuals struck by trains. However, local TSA officials responsible for another rail agency said these incidents would not need to be reported as they are most often suicides with no nexus to terrorism. Providing guidance to local TSA inspection officials and rail agencies on the types of incidents that are to be reported could improve consistency across different TSA field offices. GAO also found inconsistency in TSA compliance inspections and enforcement actions because TSA has not utilized limited headquarters-level mechanisms as intended for ensuring consistency in these activities. TSA's rail security inspection policies do not specify inspection frequency but call for performing a "reasonable number" of inspections. However, 3 of the 19 rail agencies GAO contacted were not inspected from January 2011 through June 2012, including a large metropolitan rail agency, although local officials said it was unlikely that no incidents had occurred at that agency. Without inspections, TSA's assurance that rail agencies are reporting security incidents, as required, is reduced. In addition, TSA took enforcement action against an agency for not reporting an incident involving a knife, but did not take action against another agency for not reporting similar incidents, though the agency had been inspected. 
Enhancing headquarters-level mechanisms for overseeing inspection and enforcement actions in the field could help ensure more consistency in these activities and improve TSA's ability to use the information for trend analysis.

TSA has not conducted trend analysis of rail security information, and weaknesses in TSA's rail security incident data management system, including data entry errors, inhibit TSA's ability to search and extract information. Data entry errors occur in part because the guidance provided to officials responsible for entering incident information does not define the available data field options. Without the ability to identify information from the data, such as the number of incidents reported by incident type, TSA faces challenges determining if patterns or trends exist. Additional guidance for officials who enter the incident information could help to reduce data entry errors and improve users' ability to search and extract information from the system, ultimately improving TSA's ability to analyze the incident information. These weaknesses notwithstanding, TSA has made limited use of the incident information it has collected, in part because it does not have a systematic process for conducting trend analysis. TSA's purpose for collecting the rail security incident information was to allow TSA to "connect the dots" by conducting trend analysis. TSA has used the rail security incident information for situational awareness, but has conducted limited analysis of the information, missing an opportunity to identify any security trends or patterns in the incident information, or to develop recommended security measures to address any identified issues.

Why GAO Did This Study

Terrorist attacks on foreign passenger rail systems, which include rail transit and intercity rail, have underscored the importance of collecting and analyzing security incident information to identify potential vulnerabilities. Within the federal government, TSA is the primary agency responsible for overseeing and enhancing passenger rail security, and has several programs to fulfill this responsibility. In 2008, TSA issued a regulation requiring U.S. passenger rail agencies to report all potential threats and significant security concerns to TSA, among other things. GAO was asked to assess the extent to which (1) TSA has overseen and enforced this reporting requirement and (2) TSA has analyzed passenger rail security incident information to identify security trends. GAO reviewed TSA policy documents, guidance, and incident data from January 2011 through June 2012, and interviewed federal officials and security officials from 19 passenger rail agencies. GAO selected these agencies, in part, because of their ridership volume. The results of these interviews are not generalizable but provide insights.

What GAO Recommends

GAO recommends, among other things, that TSA (1) develop guidance on the types of incidents that should be reported, (2) enhance existing oversight mechanisms for compliance inspections and enforcement actions, (3) develop guidance to reduce errors from data entry problems, and (4) establish a process for regularly conducting trend analysis of incident data. TSA concurred and is taking actions in response.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: In September 2013, TSA disseminated written guidance to local TSA inspection officials and rail agencies that provides clarification about the requirements of the rail security incident reporting process. This guidance includes examples and descriptions of the types of incidents that should be reported under the regulatory criteria, as well as details about the type of information that should be included in the incident report provided to the Transportation Security Operations Center. This guidance will help ensure that the rail security incident reporting process is consistently implemented and enforced. Therefore, this recommendation is closed as implemented.

Recommendation: To help ensure that the rail security incident reporting process is consistently implemented and enforced, the Administrator of TSA should develop and disseminate written guidance for local TSA inspection officials and rail agencies that clarifies the types of incidents that should be reported to the TSA's Transportation Security Operations Center (TSOC).

Comments: As of August 2013, TSA has enhanced the utilization of the Surface Regional Security Inspectors (RSI) by providing them with the ability to review both passenger and freight rail inspections in the Performance and Results Information System (PARIS) before the inspections are finalized and enforcement action is taken. TSA established an RSI-dashboard report that provides weekly, monthly, and quarterly information about the number of inspections that have been reviewed, accepted, and rejected. TSA also developed a mechanism for tracking the recommendations RSIs make to local TSA inspection officials regarding changes to local compliance inspections, as well as any actions that are taken in response. This mechanism allows the RSIs to provide management oversight of passenger and freight rail regulatory inspections and enforcement actions, which helps ensure that these regulations are consistently implemented and enforced. Therefore, this recommendation is closed as implemented.

Recommendation: To help ensure that the rail security incident reporting process is consistently implemented and enforced, the Administrator of TSA should enhance and utilize existing oversight mechanisms at the headquarters level, as intended, to provide management oversight of local compliance inspections and enforcement actions.

Comments: In March 2013, TSA established a process for updating TSA's incident management system, WebEOC, when previously unreported incidents are discovered through compliance activities. To carry out this process, the agency created an Office of Security Operations Surface Detailee position. This position is responsible for ensuring that rail security incidents recorded in the compliance database, PARIS, are also captured in the WebEOC database. This action will improve the accuracy and completeness of the incident data in WebEOC. Therefore, this recommendation is closed as implemented.

Recommendation: To help fulfill TSA's stated purpose for collecting rail security incident information and improve the accuracy and completeness of the incident data in TSA's incident management system, WebEOC, the Administrator of TSA should establish a process for updating the database when incidents that had not previously been reported are discovered through compliance activities.

Comments: In October 2014, TSA officials reported that they have taken actions to develop additional guidance for Transportation Security Operations Center (TSOC) officials to help reduce the number of data entry errors in TSA's incident management system, WebEOC. This includes an updated Surface Guide, which contains clear definitions and examples for each type of incident. TSA also revised the incident types available in their data management system, WebEOC, and created a link to the Surface Guide definitions. These actions help ensure the accuracy and completeness of the incident data in WebEOC. Therefore, this recommendation is closed as implemented.

Recommendation: To help fulfill TSA's stated purpose for collecting rail security incident information and improve the accuracy and completeness of the incident data in TSA's incident management system, WebEOC, the Administrator of TSA should develop guidance for TSOC officials that includes definitions of data entry options to reduce errors resulting from data entry problems.

Comments: In October 2014, TSA officials reported that they had developed a new capability for identifying trends in the rail security incident data, known as the Surface Compliance Trend Analysis Network (SCAN). SCAN is designed to identify linkages between incidents captured in various sources of data, assemble detailed information about these incidents, and accurately analyze the data to enhance the agency's ability to detect impending threats. According to TSA officials, SCAN consists of three elements: two rail security inspector detailees located at the Transportation Security Operations Center (TSOC), a new rail security incident analysis product (known as a trend analysis report) for rail industry stakeholders, and enhanced IT capabilities. According to TSA, one of the key functions of the rail security inspector detailees is to continuously look for trends and patterns in the rail security incident data that is reported to TSOC, and to coordinate with other TSA components to conduct further investigations into potential trends. If the detailees (or others at TSA) identify potential rail security-related trends, TSA reports the information in a Trend Analysis Report, which is provided to rail industry stakeholders. The Trend Analysis Report integrates incident information from WebEOC with information from multiple other sources, including TSA's compliance database and media reports, and provides rail agencies and other stakeholders with analysis of possible security issues that could affect operations as a result of these trends. The IT improvements TSA has made to its incident management system (known as WebEOC), including steps to improve the completeness and accuracy of the data and the ability to produce basic summary reports, should facilitate this type of continuous trend analysis. 
These efforts to better utilize rail security information from both open source data and incidents reported directly to TSOC should better position TSA to provide valuable analysis on rail security incidents and to develop recommended security measures for rail agencies, if appropriate. Therefore, this recommendation is closed as implemented.

Recommendation: To help fulfill TSA's stated purpose for collecting rail security incident information and improve the accuracy and completeness of the incident data in TSA's incident management system, WebEOC, the Administrator of TSA should establish a systematic process for regularly conducting trend analysis of the rail security incident data, in an effort to identify potential security trends that could help the agency anticipate or prevent an attack against passenger rail and develop recommended security measures.